From c929b7ab78536f3bdb7328f1cb62d2160e50c482 Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Thu, 19 Jan 2012 22:41:55 +0000
Subject: [PATCH] Merge r1233604 from trunk: Adjust CVE-2011-3368/CVE-2011-4317 fixes to rely solely on core's translate-name to fail unsupported URIs. Rewrite and proxy now decline what they don't support rather than fail the request. Suggested by: trawick Implemented by: jorton Tweaked by: wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1233619 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/mappers/mod_rewrite.c | 11 ++---------
 modules/proxy/mod_proxy.c | 11 ++---------
 server/protocol.c | 20 --------------------
 3 files changed, 4 insertions(+), 38 deletions(-)
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 17f52cba24..c2cbd70553 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4419,18 +4419,11 @@ static int hook_uri2file(request_rec *r)
 return DECLINED;
 }
- if (strcmp(r->unparsed_uri, "*") == 0) {
- /* Don't apply rewrite rules to "*". */
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
 return DECLINED;
 }
- /* Check that the URI is valid. */
- if (!r->uri || r->uri[0] != '/') {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00668)
- "Invalid URI in request %s", r->the_request);
- return HTTP_BAD_REQUEST;
- }
-
 /*
 * add the SCRIPT_URL variable to the env. this is a bit complicated
 * due to the fact that apache uses subrequests and internal redirects
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 751c88594b..3764650a9c 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
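Review bot: The combined condition in hook_uri2file that now returns DECLINED for a URI that is NULL or does not start with '/' carries no comment, while the lines it replaces explained their intent. Rejecting such a request no longer happens at this site, so the check reads as a harmless skip although it is half of the CVE-2011-3368/CVE-2011-4317 fix; the identical condition in proxy_trans in mod_proxy.c has the same gap. I would add above it `/* Decline "*" and any URI not starting with '/'; core's translate-name hook is what fails these requests (CVE-2011-3368, CVE-2011-4317). */`. The core hook is not part of this diff, so that it answers 400 and logs the request line, replacing the APLOGNO(00668) and APLOGNO(01137) error messages removed here, rests on the commit message and is worth confirming. hook_uri2file begins and ends outside the hunk.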
@@ -656,18 +656,11 @@ static int proxy_trans(request_rec *r)
 return OK;
 }
- if (strcmp(r->unparsed_uri, "*") == 0) {
- /* "*" cannot be proxied. */
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
 return DECLINED;
 }
- /* Check that the URI is valid. */
- if (!r->uri || r->uri[0] != '/') {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01137)
- "Invalid URI in request %s", r->the_request);
- return HTTP_BAD_REQUEST;
- }
-
 /* XXX: since r->uri has been manipulated already we're not really
 * compliant with RFC1945 at this point. But this probably isn't
 * an issue because this is a hybrid proxy/origin server.
diff --git a/server/protocol.c b/server/protocol.c
index 5a9135c8b2..11a82e1acb 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -655,26 +655,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
 ap_parse_uri(r, uri);
- /* RFC 2616:
- * Request-URI = "*" | absoluteURI | abs_path | authority
- *
- * authority is a special case for CONNECT. If the request is not
- * using CONNECT, and the parsed URI does not have scheme, and
- * it does not begin with '/', and it is not '*', then, fail
- * and give a 400 response. */
- if (r->method_number != M_CONNECT
- && !r->parsed_uri.scheme
- && uri[0] != '/'
- && !(uri[0] == '*' && uri[1] == '\0')) {
- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00559)
- "invalid request-URI %s", uri);
- r->args = NULL;
- r->hostname = NULL;
- r->status = HTTP_BAD_REQUEST;
- r->uri = apr_pstrdup(r->pool, uri);
- return 0;
- }
-
 if (ll[0]) {
 r->assbackwards = 0;
 pro = ll;
--
2.40.0
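Review bot: The `return OK;` just above the new condition in proxy_trans belongs to a branch whose test is outside the hunk, and after this commit that path has no URI-shape check on it at all. If translate-name stops at the first hook that does not decline, which I believe is how the hook is run, a request leaving through that `return OK;` never reaches the core hook the commit message relies on, and the read_request_line check in server/protocol.c is removed in the same commit. It is worth confirming that the branch can only be taken for a request whose URI was already validated, and recording that on the branch with a comment such as `/* NOTE: returning OK here bypasses core's translate-name URI check; the URI must already have been validated on this path. */`. A regression test sending a request-URI without a leading '/' through both the rewrite and the proxy configuration would pin the expected 400.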